[Figure text recovered from patent drawings. Each "FIG. n" label follows the content of its figure, as in the source; decision boxes and arrows of the flowcharts were not recoverable and are omitted.]

Network topology: SITE1 100.10.1.0/24 (ROUTER 1; TERMINAL 11, 12, 13), REPEATING POINT 100.10.2.0/24 (ROUTER 2), SITE 2 100.10.3.0/24 (ROUTER 3; TERMINAL 31, 32, 33), SITE 3 100.10.4.0/24 (TERMINAL 41, 42, 43), SITE 4 100.10.5.0/24. Labels: DEFAULT ROUTE, ENCRYPTION, DECODING.

FIG. 1

FIG. 2

Topology detail: SITE 4 100.10.5.0/24; TERMINAL 11, TERMINAL 12, TERMINAL 13, TERMINAL 31, TERMINAL 32, TERMINAL 33.

FIG. 3

SPD (SECURITY POLICY DATABASE)

  START POINT     END POINT       LINK NO.  POLICY          PROTOCOL  DIRECT FLAG
  IP ADDRESS      IP ADDRESS
  100.10.1.0/24   100.10.3.0/24   1         ENCRYPTION      ANY       DEFAULT
  100.10.1.0/24   100.10.3.0/24   2         ENCRYPTION      ANY       DIRECT
  100.10.1.0/24   100.10.5.0/24   3         NON-ENCRYPTION  (blank)   (blank)
  100.10.1.0/24   100.10.6.0/24   (blank)   DESTRUCTION     (blank)   (blank)

FIG. 4

DDT (DEFAULT/DIRECT TABLE)

  DESTINATION     TRANSFER DESTINATION  POLICY      IDENTIFICATION  DRIVE REQUEST
  IP ADDRESS      IP ADDRESS                        FLAG
  100.10.3.0/24   100.10.3.0/24         ENCRYPTION  DEFAULT         (blank)
  100.10.4.0/24   100.10.4.0/24         ENCRYPTION  DIRECT          OFF

FIG. 5

SAD (SECURITY ASSOCIATION DATABASE)

  END POINT IP ADDRESS  LINK NO.  CLASS OF        SPI VALUE   OTHER SA   DIRECT
  OF EXTERNAL HEADER              IPsec PROTOCOL              PARAMETER  INDICATION
  100.10.2.1            1         ESP             0x32e9a7c6  ...        DEFAULT
  100.10.3.1            2         ESP             0x32e9a7c8  ...        DIRECT
  100.10.5.1            3         (blank)         (blank)     (blank)    (blank)
  100.10.6.1            (blank)   (blank)         (blank)     (blank)    (blank)

SPI: SECURITY PARAMETER INDEX
ESP: ENCAPSULATING SECURITY PAYLOAD

FIG. 6

Flowchart (packet transfer; step labels S4 to S9 appear in the figure). Boxes recovered:
- RECEIVE THE PACKET AS THE OBJECT OF ENCRYPTION
- SELECT [DEFAULT/DIRECT] DEPENDING ON SAD/SPD (box text partly illegible)
- SET THE TUNNEL SETTING DRIVE REQUEST
- Note: (1) POLICY INFORMATION ABOUT PACKET COMMUNICATION IS SET TO THE SAD; (2) DEFAULT IS SET TO THE DIRECT FLAG AND THE LINK INFORMATION OF THE SAD IS ALSO SET
- SELECT THE DEFAULT ROUTE DEPENDING ON THE SAD/SPD INFORMATION
- COUNT UP THE NUMBER OF PACKETS USING THE DEFAULT ROUTE
- SELECT THE DIRECT ROUTE DEPENDING ON THE SAD/SPD INFORMATION
- COUNT UP THE NUMBER OF PACKETS USING THE DIRECT ROUTE
- OUTPUT THE RECEIVED PACKETS TO THE DESIRED LINK

FIG. 7

Flowchart (direct tunnel setting):
- S21: ACCEPT THE DIRECT TUNNEL SETTING REQUEST
- S22: GENERATE THE SA (TUNNEL) BASED ON THE DIRECT TABLE INFORMATION
- S23: CHANGE THE SETTING TO THE DIRECT TUNNEL
- END

DDT (DEFAULT/DIRECT TABLE)

  START POINT     END POINT       SECURITY    IDENTIFICATION  DRIVE REQUEST
  IP ADDRESS      IP ADDRESS      POLICY                      FLAG
  100.10.3.0/24   100.10.3.0/24   ENCRYPTION  DIRECT          ON
  100.10.4.0/24   100.10.4.0/24   ENCRYPTION  DIRECT          OFF

SAD (SECURITY ASSOCIATION TABLE)

  LINK NO.  TRANSFER DESTINATION ADDRESS  SECURITY POLICY  IDENTIFICATION
  1         ROUTER                        ENCRYPTION       DEFAULT
  2         100.10.3.0/24                 ENCRYPTION       DIRECT

ISAKMP exchange (INITIATOR / RESPONDER / ACTION):
  I -> R  HDR, SA               REQUEST FOR SETTING SA
  R -> I  HDR, SA               RESPONSE FOR SETTING SA
  I -> R  HDR, KE, Ni           KEY GENERATION REQUEST
  R -> I  HDR, KE, Nr           RESPONSE TO KEY GENERATION
  I -> R  HDR*, IDii, HASH_I    AUTHENTICATION REQUEST
  R -> I  HDR*, IDir, HASH_R    RESPONSE TO AUTHENTICATION
  I -> R  HDR*, N0              INITIAL-CONTACT

HDR: ISAKMP HEADER
SA: SA NEGOTIATION PAYLOAD
KE: KEY EXCHANGE PAYLOAD
Ni, Nr: NONCE PAYLOAD
IDii, IDir: ID PAYLOAD
HASH_I, HASH_R: HASH PAYLOAD
N0: NOTIFICATION PAYLOAD
*: ENCRYPTION PAYLOAD

SPD (SECURITY POLICY DATABASE)
(DIRECT ROUTE IS USED TO THE TERMINAL 31)

  DESTINATION ADDRESS  LINK NO.  IDENTIFICATION
  100.10.3.0/24        1         DEFAULT
  100.10.4.0/24        1         DIRECT

SPD (SECURITY POLICY DATABASE)
(DIRECT ROUTE IS USED TO THE TERMINAL 31)

  DESTINATION ADDRESS  LINK NO.  IDENTIFICATION
  100.10.3.0/24        2         DIRECT
  100.10.4.0/24        1         DIRECT

FIG. 8

Flowchart: TRAFFIC MONITORING PROCESS (step labels S31 to S37 appear in the figure). Boxes recovered:
- CLEAR THE COUNT OF PACKETS USING THE DIRECT ROUTE
- REQUEST THE CANCELLATION OF THE DIRECT TUNNEL
- CLEAR THE COUNT OF PACKETS USING THE DIRECT ROUTE
- CLEAR THE COUNT OF PACKETS USING THE DEFAULT ROUTE
- REQUEST THE SETTING OF DIRECT TUNNEL
- CLEAR THE COUNT OF PACKETS USING THE DEFAULT ROUTE
- IS THE CHECK FOR ALL TUNNELS COMPLETED?
- END

FIG. 9

Flowchart (direct tunnel cancellation):
- S41: REQUEST CANCELLATION OF THE DIRECT TUNNEL
- S42: UPDATE PROCESS OF SPD (SECURITY POLICY DATABASE): CHANGE THE CONNECTION FROM THE DIRECT TUNNEL TO THE DEFAULT TUNNEL

  SPD before:
  DESTINATION ADDRESS  LINK NO.  IDENTIFICATION
  100.10.3.0/24        2         DIRECT
  100.10.3.0/24        1         DEFAULT

  SPD after:
  DESTINATION ADDRESS  LINK NO.  IDENTIFICATION
  100.10.3.0/24        1         DEFAULT
  100.10.3.0/24        1         DEFAULT

- S43: DELETE THE SAD INFORMATION WHEN THERE IS NO SAME LINK IN THE SPD (DELETION)

  SAD (SECURITY ASSOCIATION DATABASE) before:
  LINK NO.  TRANSFER DESTINATION ADDRESS  SECURITY POLICY  IDENTIFICATION
  1         100.10.2.0/24                 ENCRYPTION       DEFAULT
  2         100.10.3.0/24                 ENCRYPTION       (blank)

  SAD after:
  LINK NO.  TRANSFER DESTINATION ADDRESS  SECURITY POLICY  IDENTIFICATION
  (blank)   100.10.2.0/24                 ENCRYPTION       DEFAULT

  DDT after:
  DESTINATION     DESTINATION TRANSFER  SECURITY    IDENTIFICATION  DRIVE REQUEST
  ADDRESS         ADDRESS               POLICY
  100.10.3.0/24   100.10.3.0/24         ENCRYPTION  DEFAULT         OFF
  100.10.4.0/24   100.10.4.0/24         ENCRYPTION  DIRECT          OFF

- S44: NOTIFY THE DISCONNECTION OF TUNNEL TO THE CONNECTING DESTINATION AND THEN DISCONNECT THE TUNNEL. DELETE THE SA BY TRANSMITTING THE CONTACT
- END

FIG. 10